NETWORK ACCESS CONTROL SYSTEM AND PROCESS

BACKGROUND OF THE INVENTION 

1. Field of The Invention: 

The present invention relates generally to a centralized, server-based approach to content monitoring and user authorization for the Internet and similar computer networks of networks. More particularly, it relates to a system and process which uses dynamically downloadable, user-specific filters from a central server for content monitoring and user authorization in a network of networks.

2. Description of the Prior Art:

Much press has been made in recent months over public desire for restricting access to indecent text and graphics on the Internet. Parents and schools have raised legitimate concerns about the ease with which children can gain exposure to pornographic, violent, racist and other indecent materials, especially in graphical forms found on the fast expanding World Wide Web (WWW). Most recently, the Telecommunications Reform Act signed by President Clinton legislates Internet censorship and stiff punitive measures to enforce these desires. However, most users and advocates of the Internet agree that such government regulation is not the answer. The upshot of this groundswell has been the overnight development of a marketplace for products that empower parents, schools and corporations to choose the Internet content that children, students and employees experience. Proposals for voluntary ratings on Internet sites are also in progress and are being actively added to legislation.

While first generation Internet content monitoring products represent a good first step, they only offer a partial answer, and one that has many shortcomings. The first generation of Internet content monitoring products arose from existing technology which monitored the use of local software on a PC for indecent or violent content based on keyword lists. These products were extended to monitor hostnames, URLs and other Internet content that appeared on the PC using these keyword lists. For example, the keyword lists commonly distributed with these products include general words like "erotic", "sex" and "xxx", and sometimes specific hostnames, like "playboy.com". The principle behind these lists is to deny access to sites, URLs, or any document that contains these keywords. So, if the user of the PC typed "playboy.com" in his browser screen to go to that site, the software would actively deny access and stop the browser from going to that site, or at least log the instances of keyword violations for later review by an authorized administrator, such as a parent or teacher.

There are a number of reasons why this approach is ill suited to the Internet:

1. Deny keyword lists lag behind the growth of the Internet.

The Internet is growing too fast and is too smart to be bottled up by keyword lists. To begin with, updates of keyword lists lag behind the actual creation and appearance of "bad" sites on the World Wide Web. Some products only update their lists once a month as part of a subscription service. Most don't allow parents and teachers to customize the lists themselves. Others don't provide any update service at all. All of these factors mean that there will be large holes in the protective screen that these products intend to cast over Internet content.

2. "Bad" words must be used to be caught by deny keyword lists.
Deny keyword lists depend on the use of "obscene" language at Internet sites in order to screen them. Once the creators of Internet sites catch on to this, more and more "obscene" sites will use "innocent" words to thwart the keywords, thus diminishing the efficiency of deny keyword lists steadily over time. An example would be the site called www.candyland.com. Although it has a neutral name, it is an adult site. A keyword list could not catch and deny all of these sites without denying thousands of innocent sites by extension.

3. No restrictions on indexes and search engines.
Deny-based approaches do not restrict the index and search tools that users access. Ironically, one of the most powerful tools for breaking through the protective screen of deny-based monitors is the very set of indexes and search tools that practically all Internet surfers use for free to find information on the World Wide Web. These indexes can search all the available sites, both the good and the bad, so it is very easy to find indecent sites that do not get denied by the keyword lists.

4. PC-based content monitors can be easily tampered with.
Most children who use the Internet are far more sophisticated users than the parents and teachers who are trying to restrict their access to questionable content on the Internet. It is possible that children will be able to hack around a PC-based solution without a parent's or teacher's knowledge.
5. Distributed PC-based content monitors are administratively cumbersome.

For parents to use these products effectively, there must be constant monitoring, either to find new sites that are not being caught by current keywords or to send in requests to the software manufacturer for additions to the deny list. Internet marketing studies show that the typical parents who provide Internet access to their children are in a demographic that is already challenged for time by career pressures. It is unlikely that these parents will have the time, expertise or energy to learn to maintain and monitor their child's home PC. This administrative overhead is worse for schools that are considering implementing these solutions on every PC and Macintosh in a school district.

6. Distributed PC-based content monitors require a PC.
The new generation of Internet terminals, which have no hard disk to store programs, will not be able to run this type of client software and retrieve list updates.



SUMMARY OF THE INVENTION 

Accordingly, it is an object of this invention to provide a system and process for network access control that allows customized Internet content monitoring based on a centralized permit model.

It is another object of the invention to provide such a system and process which is readily implemented using hardware that is typically present in most installations for Internet access.

It is a further object of the invention to provide such a system and process that utilizes an extension of firewall filtering to implement the content monitoring.

The attainment of these and related objects may be achieved through use of the novel network access control system and process herein disclosed. A network access control system in accordance with this invention has a local access server with a local cache for storage of recently used user filters and sites accessible from the system for which access has been requested. A network access server is coupled to the local access server and has storage for user filters. Access client software resident in the local access server uses the user filters and sites for which access has been requested in the local cache for making an access determination for a site to which a user requests access, and communicates with the network access server to obtain an access determination from the user filters and site lists stored at the network access server if an access determination cannot be made from the user filters and sites stored in the local cache.

In another aspect of the invention, a process controls network access in a system of interconnected networks by defining user access filters for determining if a request by a user for access to a desired site in the system should be permitted. Recently used user access filters and sites accessible from the system for which access has been requested are stored in a local cache of a local access server. User filters and site lists are stored at a network access server coupled to the local access server. An attempt is made to use the user filters and sites for which access has been requested in the local cache for making an access determination for a site to which a user requests access. At least one of the user filters and site lists stored at said network access server is used to obtain an access determination if an access determination cannot be made from the user filters and sites stored in said local cache. In a further aspect of the invention, a storage medium has stored therein a program, which when executed on a networked data processing system, will carry out the above process.

The attainment of the foregoing and related objects, advantages and features of the invention should be more readily apparent to those skilled in the art, after review of the following more detailed description of the invention, taken together with the drawings, in which:

BRIEF DESCRIPTION OF THE DRAWINGS 

Figure 1 is a block diagram of an Internet access system employing the invention.

Figure 2 is a block diagram of a first portion of the system shown in Figure 1.

Figure 3 is a more detailed block diagram of a second portion of the system shown in Figure 1.



Figure 4 is a block diagram of a second embodiment of an Internet access system employing the invention.

Figure 5 is a block diagram of a third embodiment of an Internet access 
system employing the invention. 

DETAILED DESCRIPTION OF THE INVENTION 

Turning now to the drawings, more particularly to Figure 1, there is shown an Internet access system 10 which incorporates an access control subsystem 12 of this invention. The access control subsystem 12 is implemented with a communications server 14, one or more Remote Authentication Dial In User Service (RADIUS) servers 16, and a remote access server 18, all connected to a network backbone 20. In the network 21 connected by backbone 20, users are connected to the network by dial-up connections 22 through the communications server 14 or via a local area network (LAN) router 24, also through the communications server 14.

The network 21 connected to backbone 20 is connected to the Internet or other public/private network 26 through a firewall router 28. A World Wide Web (WWW) and File Transfer Protocol (FTP) server 30 for the network connected by backbone 20 is also separately connected to the Internet 26 through the firewall router 28, so that outsiders accessing the web and ftp sites of the network 21 are kept away from the rest of network 21. Various other heterogeneous sites 32, 34 and 36 are also connected to the Internet 26. In addition to serving as part of the access control subsystem 12 for the network 21, the remote access server 18 also serves as a central access control server for the other sites 32, 34 and 36 shown in Figure 1, as will be explained in further detail below. By way of example, the network 21 might represent an Internet Service Provider (ISP).

As represented in Figure 2, the access control subsystem 12 incorporates integrated software modules 38, 40 and 42, respectively comprising the RADIUS module, the network access module, and the firewall filtering module in security systems software 43. Because the network access module 40 works with the RADIUS module 38 and the firewall filtering module 42, the network access system and process of this invention can be implemented with hardware resources otherwise present on a network. Although the remote access server 18 is shown as part of the network 21, many sites 32, 34 and 36 utilizing it in the system and process of this invention will access it remotely through the Internet 26. Alternatively, the routers 24, 32, 34 can be part of networks having their own network access server 18.

The remote access control subsystem 12 allows ISPs and Internet connected organizations easily to build content monitored Internet access for children using the power of a centralized, permit based approach. Instead of vainly trying to catch all the "bad" sites on the Internet, the ChoiceNet remote access control subsystem 12 applies the reverse logic by permitting access only to content approved "good" sites. All communications initiated by the user to sites that are on the permit list are allowed, while access to all other sites is denied by default. Instead of distributing the content monitoring technology to every desktop PC and Macintosh accessing the Internet, the subsystem 12 provides a centralized way to operate content monitoring using the very communications servers and routers that users' traffic travels through to get to the Internet. Finally, instead of trying to maintain an unwieldy list of deny keywords on every desktop, the subsystem 12 provides for a central, server based permit list that can be easily updated on a daily or hourly basis, and that cannot be tampered with by the end users.

In practice, the network access module 42 is provided with the server 14 and can be used to offer both content monitored "kid" Internet accounts as well as unrestricted "adult" accounts, which can dial into the same communications servers. The remote access subsystem 12 can also be used to provide content monitored Internet access from school LANs using routers 24, 32 and 34. All of the required software is provided with each server 14 or router 24, 32 and 34. Existing servers 14 or routers 24, 32 and 34 can be updated to include remote access control capability. The remote access control is fully compatible with RADIUS server 16.

Further details of the remote access control subsystem 12 are provided in Figure 3. Remote user 22, a child at school or at home, uses a WWW Browser and a ChoiceNet Notification Application, a Windows or Macintosh application that is installed on each PC or Macintosh accessing the Internet. This application notifies the user if a site she is attempting to access is not permitted. Disabling this notification application does not affect the functionality of the ChoiceNet network access module 42, because the access decision is made in the network rather than on the PC; only the notification to the user is affected.

The ChoiceNet network access module 42 can be applied to dedicated LAN based Internet connections such as those found at schools, as well as to dial up Internet connections from home PCs, as shown in Figure 3. Client software 44 of the module 42 can reside on a router 24, 32 or 34 (Figure 1) as well as a communications server 14. RADIUS client software 45 is also resident on the communications server 14.

When user 22 logs in through the communications server 14, the RADIUS client software 45 first determines if user 22 is authorized by checking his password through RADIUS server 16, utilizing user profiles 46. The user profile 46 for user 22 also identifies a filter "F(Timmy)". After checking user 22's authorization, the RADIUS server 16 supplies the filter identification through the RADIUS client 45 along with the verification acknowledgement for the user 22, for use by client software 44 in controlling access by the user 22 to Internet sites. The client software 44 then checks to see if the filter "F(Timmy)" is stored locally in cache 50. If it is, the client software 44 uses it for controlling access. If not, the client software 44 sends a lookup request to the network access server 18, which stores the centralized permitted site list and the filters to be used as masks for checking access classifications of requested sites, to download the filter "F(Timmy)", which is then maintained in the server 14 memory for the rest of user 22's session. The client 44 also keeps the local cache 50 of recently requested sites and recently used user filters for efficiency. This list includes both sites for which access was recently permitted, such as whitehouse.gov, as well as sites for which access was recently denied, such as playboy.com. When access to a site is requested, the client first checks the local cache 50 to see if the site is on the list stored there. In practice, the client software 44 and permit-based filtering technology is integrated in the communications operating system software that runs on the server 14 or routers 24, 32 or 34.
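
As an added illustration that is not part of the original specification or of the ChoiceNet software, the following Python models the RADIUS step just described: the RADIUS client on the communications server sends an Access-Request, and the server's reply carries the user's filter identification alongside the acceptance. The example assumes the filter name travels in the standard RADIUS Filter-Id attribute (type 11, RFC 2865), which the specification does not state; the shared secret, user name, identifier and packet contents are constructed. The point a practitioner should take from it is that the filter identification is only as trustworthy as the reply it arrives in, so the client checks the Response Authenticator against the shared secret and the Request Authenticator it sent before handing any filter name to the access client.

```python
import hashlib
import hmac
import os
import struct

# Constructed values for this example; they are not from the original page.
SHARED_SECRET = b"example-shared-secret"      # RADIUS client/server secret (assumed)
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2          # RADIUS packet codes (RFC 2865)
ATTR_USER_NAME, ATTR_FILTER_ID = 1, 11        # RADIUS attribute types (RFC 2865)


def encode_attrs(attrs):
    """Encode RADIUS attributes as Type(1) Length(1) Value TLVs."""
    out = b""
    for atype, value in attrs:
        if len(value) > 253:
            raise ValueError("RADIUS attribute value too long")
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return out


def decode_attrs(data):
    """Decode the TLV attribute list, refusing malformed lengths."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("bad attribute length")
        attrs.append((atype, data[i + 2:i + alen]))
        i += alen
    return attrs


def build_access_accept(ident, request_auth, attrs, secret=SHARED_SECRET):
    """Server side: an Access-Accept whose Response Authenticator is
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret) (RFC 2865, s.3)."""
    body = encode_attrs(attrs)
    head = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    resp_auth = hashlib.md5(head + request_auth + body + secret).digest()
    return head + resp_auth + body


def filter_id_from_accept(packet, ident, request_auth, secret=SHARED_SECRET):
    """Client side (the RADIUS client on the communications server): check the
    identifier, the length and the Response Authenticator against the shared
    secret and the Request Authenticator we sent, then return the Filter-Id
    string for the access client. Returns None for anything that is not an
    authentic Access-Accept, so a spoofed or tampered reply never yields a
    (possibly looser) filter."""
    if len(packet) < 20:
        return None
    code, pkt_ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or pkt_ident != ident or length != len(packet):
        return None
    body = packet[20:]
    expected = hashlib.md5(packet[:4] + request_auth + body + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        return None
    for atype, value in decode_attrs(body):
        if atype == ATTR_FILTER_ID:
            return value.decode("ascii")
    return None


def login_demo():
    """Constructed exchange: the RADIUS client keeps the random Request
    Authenticator of its Access-Request and checks the reply against it."""
    request_auth = os.urandom(16)
    ident = 7
    accept = build_access_accept(ident, request_auth,
                                 [(ATTR_USER_NAME, b"Timmy"),
                                  (ATTR_FILTER_ID, b"F(Timmy)")])
    genuine = filter_id_from_accept(accept, ident, request_auth)
    # A reply built with the wrong secret, as a rogue RADIUS server would send,
    # carries a looser filter name but fails the authenticator check.
    forged = build_access_accept(ident, request_auth,
                                 [(ATTR_FILTER_ID, b"F(Unrestricted)")],
                                 secret=b"wrong-secret")
    return genuine, filter_id_from_accept(forged, ident, request_auth)
```

Without the authenticator check, anyone able to inject a UDP reply toward the communications server could substitute an unrestricted filter name for F(Timmy); with it, such a reply yields no filter and the login is treated as failed rather than as unrestricted.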

Installed on one of several supported UNIX platforms, the ChoiceNet server 18 software provides lookups of sites for the server 14 or routers 24, 32 or 34 against a list of permitted sites. The server software also automatically maintains the permit list by downloading updated versions of the list over the Internet and compiling the list for use by the client software 44. As a result of this self maintenance capability, the server 18 requires minimal administrative attention.



Provided by a commercial or non-profit organization, a third party content monitored search index 52 is built specifically for content monitored access to the Internet and contains only links to sites that are acceptable for children. Children who are given content monitored access to the Internet use such a search index as their sole search interface, barring them from finding other unacceptable sites. Many such children's search indexes are currently being released. This same third party search index 52 provides continuously updated versions of the permit list that resides on the server 18, corresponding to the site links on its search index tool.

In addition to the site lists, the network access control server 18 maintains a set of user filters 54 which are used to control Internet access for each user. In response to the user 22 request for access, assuming the appropriate entries are found in local cache 50, the server 14 applies the filter "F(Timmy)" 54 as a mask to the site list in the local cache to determine if the request will be granted. The server 14 looks at each filter rule found in "F(Timmy)" starting from the top. When it reaches the rule permit "PTA List", the server 14 looks into its local cache 50 to see if www.playboy.com is on the PTA List. If not, the server 14 sends a filter look-up request to the server 18. This look-up contains the list name "PTA List" and the site Timmy is trying to access (www.playboy.com). The server 18 searches list 52 and sends back the result. Based on the result, the server 14 either permits or denies access and updates its local cache 50. In the event of denial, the server 14 sends a denial message back to user 22, informing him that he cannot access that site.

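
The mask operation of the preceding paragraph, written out as an added example in Python (this is not code from the specification or from ChoiceNet; the list contents, the rules inside F(Timmy), the second filter F(Sally) and the Blocked List are all constructed): an ordered user filter is evaluated top-down against named site lists, a local cache of (list, site) answers sits in front of the network access server, and deny is the default when no rule matches.

```python
# Constructed data for this example; none of it is from the original page.
PERMIT, DENY = "permit", "deny"

# Site lists held centrally by the network access server (the page's server 18).
# A deployment would load these from the third-party index; here they are tiny sets.
CENTRAL_SITE_LISTS = {
    "PTA List": {"www.whitehouse.gov", "www.nasa.gov"},
    "Homework List": {"www.britannica.com", "www.nasa.gov"},
    "Blocked List": {"www.nasa.gov"},
}

# A user filter is an ordered list of (action, list name) rules, read top-down.
# F(Timmy) is the page's example name; the rules and F(Sally) are assumed.
CENTRAL_USER_FILTERS = {
    "F(Timmy)": [(PERMIT, "PTA List"), (PERMIT, "Homework List")],
    "F(Sally)": [(DENY, "Blocked List"), (PERMIT, "PTA List")],
}


class NetworkAccessServer:
    """Answers filter downloads and 'is <site> on <list>?' look-ups."""

    def __init__(self, site_lists, user_filters):
        self.site_lists, self.user_filters = site_lists, user_filters
        self.lookups = 0                      # counts round trips, for the demo

    def get_filter(self, name):
        return list(self.user_filters[name])

    def lookup(self, list_name, site):
        self.lookups += 1
        return site in self.site_lists.get(list_name, ())


class AccessClient:
    """Client software on the communications server or router: keeps recently
    used filters and recently decided (list, site) pairs in a local cache and
    asks the network access server only on a miss."""

    def __init__(self, server):
        self.server = server
        self.filter_cache = {}                # filter name -> rules
        self.site_cache = {}                  # (list name, site) -> bool

    def on_list(self, list_name, site):
        key = (list_name, site)
        if key not in self.site_cache:        # miss: one round trip to server 18
            self.site_cache[key] = self.server.lookup(list_name, site)
        return self.site_cache[key]

    def decide(self, filter_name, site):
        """Apply the user filter as a mask over the site lists: the first rule
        whose list contains the site decides; no match means deny, which is
        what makes this a permit model rather than a deny-keyword model."""
        if filter_name not in self.filter_cache:
            self.filter_cache[filter_name] = self.server.get_filter(filter_name)
        for action, list_name in self.filter_cache[filter_name]:
            if self.on_list(list_name, site):
                return action == PERMIT
        return False


def demo():
    """Trace of the page's scenario plus a deny-before-permit filter."""
    server = NetworkAccessServer(CENTRAL_SITE_LISTS, CENTRAL_USER_FILTERS)
    client = AccessClient(server)
    playboy = client.decide("F(Timmy)", "www.playboy.com")        # both rules miss: deny
    after_first = server.lookups                                  # two look-ups went out
    playboy_again = client.decide("F(Timmy)", "www.playboy.com")  # served from cache
    after_second = server.lookups                                 # still two
    whitehouse = client.decide("F(Timmy)", "www.whitehouse.gov")  # first rule hits
    sally_nasa = client.decide("F(Sally)", "www.nasa.gov")        # deny rule wins over PTA
    return playboy, after_first, playboy_again, after_second, whitehouse, sally_nasa
```

One caveat the example makes visible: a cached denial stays in force until it is evicted, so a site added to the PTA List centrally is still denied locally until the cache entry expires. Entries in the local cache should carry a time-to-live no longer than the permit list's update interval.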
In practice, the access control system and process is implemented using an extension of the Internet Protocol (IP) firewall packet filtering employed by the communications server 14 for checking whether to route or drop packets to be sent and received by the network served by the communications server 14. Firewall filters are defined as an explicit set of rules based on either permit or deny syntax. The firewall filtering of server 14 provides bidirectional (input/output) packet filtering for source and destination addresses, for protocol (TCP, UDP, IP, IPX) and port (http, etc.). With an unlimited number of rules in each filter, today's filtering technology can quickly become an administrative burden due to all filters residing in each server 14 or router 24, 32 or 34 scattered throughout a network. The access control module 40 removes the administrative burden of filter list management by centralizing filters and filter lists in a single server 18 on the network 21.

When a request for access is made by the user for which a determination cannot be made using the local cache 50, the server 14 drops the packet making the request to allow time for access to and response from the server 18. Since drops are common on the Internet, the packet making the request is retransmitted a number of times before the request times out, typically at 30 seconds or so. The source and destination addresses in the packet header are used to identify the user, allowing selection of the appropriate user filter, and to identify the site for which the user desires access. An example source address identifying a user might be:

192.168.51.50

An example destination address identifying a site requested by the user might be:

172.16.3.4

The server 14 uses such addresses in packet headers for making decisions on the handling of IP packets, such as for firewall security. Little additional overhead at the server is required to use these addresses for the purposes of identifying user filters and sites for determining site access in this system and process. If a particular source address represents a node that is associated with a single user who has no access restriction, then no further checking is required and no user filter need be employed. If multiple users are associated with a particular address node, then login information is used to determine which user filter should be applied for access requests.
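
The address-based identification of the last two paragraphs, as an added example in Python (not code from the specification or from ChoiceNet): the raw IPv4 header is parsed for its source and destination addresses, the source is mapped through a session table populated at RADIUS login to a user filter (or to no filter, for an unrestricted single-user node), and on a cache miss the packet is dropped while the look-up to the network access server is outstanding, so that the sender's own retransmission meets the cached answer. The session table, the starting cache, every address other than the two the text gives, and the central look-up function are constructed; the header checksum is left at zero because nothing here validates it.

```python
import ipaddress
import struct

# Constructed session table as the RADIUS login would fill it on the
# communications server: source address -> (user, filter name). None means an
# unrestricted account on a single-user node, which needs no filter at all.
SESSIONS = {
    "192.168.51.50": ("Timmy", "F(Timmy)"),
    "192.168.51.51": ("Dad", None),
}

# Constructed starting cache of decided (filter, destination) pairs.
DECISION_CACHE = {("F(Timmy)", "172.16.3.4"): True}


def parse_ipv4_header(packet):
    """Return (src, dst, protocol) from a raw IPv4 header. A filter must refuse
    rather than guess on malformed input, so every length field is checked."""
    if len(packet) < 20:
        raise ValueError("short packet")
    ver_ihl = packet[0]
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    (total_len,) = struct.unpack("!H", packet[2:4])
    if ihl < 20 or total_len < ihl or total_len > len(packet):
        raise ValueError("inconsistent IHL / total length")
    src = str(ipaddress.IPv4Address(packet[12:16]))
    dst = str(ipaddress.IPv4Address(packet[16:20]))
    return src, dst, packet[9]


def build_ipv4(src, dst, proto=6, payload=b""):
    """Minimal IPv4 header for the demo (header checksum left zero on purpose)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed) + payload


class PacketFilter:
    """The permit check hung off the firewall filter on the communications
    server: decides per packet from the source and destination addresses."""

    def __init__(self, sessions, cache, central_lookup):
        self.sessions, self.cache = sessions, dict(cache)
        self.central_lookup = central_lookup  # asks the network access server
        self.pending = {}                     # look-ups whose reply is not back yet

    def handle(self, packet):
        """Return 'route', 'deny' or 'drop' for one outbound packet."""
        src, dst, _proto = parse_ipv4_header(packet)
        if src not in self.sessions:
            return "deny"               # no logged-in user behind this address
        _user, filter_name = self.sessions[src]
        if filter_name is None:
            return "route"              # unrestricted account: nothing to check
        key = (filter_name, dst)
        if key in self.cache:
            return "route" if self.cache[key] else "deny"
        # Cache miss: drop this packet rather than hold it. The answer is parked
        # in `pending` until the reply arrives; the sender's retransmission of
        # the same request then meets the cached answer within its own timeout.
        if key not in self.pending:
            self.pending[key] = self.central_lookup(filter_name, dst)
        return "drop"

    def complete_lookups(self):
        """Called when replies from the network access server come back."""
        self.cache.update(self.pending)
        self.pending.clear()


def demo():
    def central_lookup(filter_name, dst):       # constructed central answer
        return dst in {"172.16.3.4", "172.16.3.5"}

    pf = PacketFilter(SESSIONS, DECISION_CACHE, central_lookup)
    steps = [pf.handle(build_ipv4("192.168.51.50", "172.16.3.4")),      # cached: route
             pf.handle(build_ipv4("192.168.51.50", "172.16.3.5"))]      # miss: drop
    pf.complete_lookups()
    steps.append(pf.handle(build_ipv4("192.168.51.50", "172.16.3.5")))  # retransmit: route
    steps.append(pf.handle(build_ipv4("192.168.51.50", "203.0.113.9")))  # miss: drop
    pf.complete_lookups()
    steps.append(pf.handle(build_ipv4("192.168.51.50", "203.0.113.9")))  # not permitted: deny
    steps.append(pf.handle(build_ipv4("192.168.51.51", "203.0.113.9")))  # unrestricted: route
    steps.append(pf.handle(build_ipv4("10.0.0.9", "172.16.3.4")))        # no session: deny
    return steps
```

Two caveats follow from the design. Identifying the user by source address is only as strong as the binding between that address and a session: on a dial-up port the address is handed out to the PPP session, but on a school LAN a host that takes over the address of an unrestricted node inherits its treatment unless the router also ties addresses to ports or hardware addresses. And because sites are keyed by destination address rather than hostname, one permitted address that hosts many virtual sites permits all of them.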

Further details on the use of Internet IP addresses in the context of packet filtering, which are helpful for a more complete understanding of the invention, are available in Chapman, Brent, "Network (In)security Through IP Packet Filtering," 1992 UNIX Security Symposium III Proceedings, pp. 63-76, and in Chapman and Zwicky, Building Internet Firewalls, Sebastopol, CA, O'Reilly & Associates, 1995, particularly chapter 6 and Appendix C, the disclosures of which are hereby incorporated by reference herein.

In addition to controlling access by a user to sites based on the nature of their content, the system and process of the invention can also be used, for example, by an Internet Service Provider to control access by users to certain value added services, such as a game service. When a game subscriber logs in, a user filter can be used to permit access to a game server, while allowing the ISP to deny access to non-subscribers. Similarly, an ISP can allow users who log in with a predetermined name, such as VIPguest, access using the system and process of this invention to certain sites of a manufacturer intended for use of its customers, such as product information and customer service sites. Figure 4 shows a network access control system 60 that is used by an ISP to provide a video game service. Subscriber 62 utilizes the ISP, but is not a subscriber to the game service. Subscriber 64 is a subscriber to the game service. Both access the ISP through communications server 66. The communications server 66 and access server 68 are connected in ISP network 70, along with an ISP video game server 72. A third party video game server 74 is accessible through the ISP network on Internet 76. The communications server 66 authorizes a requested access by subscriber 64 to the game servers 72 and 74 and denies access to those servers to subscriber 62 in the same manner as the communications server 14 in the Figures 1-3 embodiment. Other than as shown and described, the construction and operation of the Figure 4 embodiment is the same as that of the Figures 1-3 embodiment.

Figure 5 shows a network access control system 80 with which an ISP can work with a customer of the ISP, in this example an auto manufacturer, by allowing the auto manufacturer to provide Internet access software for accessing certain of its sites with a unique log in name, such as VIPguest. When the manufacturer's clients dial into network 82 and log in as VIPguest, a network access filter can be downloaded to communications server 84 from access server 86 which only permits visibility to the predefined auto dealer sites 87. In this way, the auto manufacturer can provide special sales and marketing services without any investment in their own network and dial-in numbers. The ISP can offer this service using its existing infrastructure. The ISP can use its RADIUS server 88 accounting and billing to charge the auto manufacturer for access through the network 82. Other than as shown and described, the construction and operation of the Figure 5 embodiment is the same as that of the Figures 1-4 embodiments.

It should now be readily apparent to those skilled in the art that a novel system and process for controlling network access capable of achieving the stated objects of the invention has been provided. The system and process for network access control allows customized Internet content monitoring based on a centralized permit model. The system and process is readily implemented using hardware that is typically present in most installations for Internet access. The system and process utilizes an extension of firewall filtering to implement the content monitoring.

It should further be apparent to those skilled in the art that various changes in form and details of the invention as shown and described may be made. It is intended that such changes be included within the spirit and scope of the claims appended hereto.

WHAT IS CLAIMED IS:

1. A system for controlling network access, which comprises:

(a) a local access server having a local cache for storage of recently used user filters and sites accessible from said system for which access has been requested;

(b) a network access server coupled to said local access server and having storage for user filters and site lists;

(c) access client software resident in said local access server for using the user filters and sites for which access has been requested in said local cache for making an access determination for a site to which a user requests access and for communicating with said network access server to obtain an access determination from the user filters and site lists stored at said network access server if an access determination cannot be made from the user filters and sites stored in said local cache.



2. The system of claim 1 in which said access client software is configured to identify the sites for which access is requested from addresses in information packets requesting the accesses.

3. The system of claim 1 additionally comprising:

(d) a user authentication and authorization server coupled to said local access server and having storage for user profiles including user passwords and identifications of user filters for determining site access, said local access server additionally including user authentication and authorization client software resident therein, said user authentication and authorization client software being configured to communicate with said user authentication and authorization server when the user logs into said network access server and to supply user filter identifications to said access client software.



4. The system of claim 1 in which user requests for access are transmitted as Internet Protocol packets having headers with addresses and said access client software is configured to use the addresses to find a requested site in a site list for determining whether access to the requested site will be granted.

5. A process for controlling network access in a system of interconnected networks, which comprises:

(a) defining user access filters for determining if a request by a user for access to a desired site in the system should be permitted;

(b) storing in a cache local to an access server recently used user access filters and sites accessible from said system for which access has been requested;

(c) storing user filters and site lists at a network access server coupled to the local access server;

(d) attempting to use the user filters and sites for which access has been requested in the local cache for making an access determination for a site to which a user requests access; and

(e) using at least one of the user filters and site lists stored at said network access server to obtain an access determination if an access determination cannot be made from the user filters and sites stored in said local cache.



6. The process of claim 5 in which sites for which access is requested are identified from addresses in information packets requesting the accesses.

7. The process of claim 5 in which a user authentication and authorization server supplies user filter identifications to the access server.

8. The process of claim 5 in which user requests for access are transmitted as Internet Protocol packets having headers with addresses and the addresses are used to find a requested site in a site list for determining whether access to the requested site will be granted.

WO 98/28690    PCT/US97/23616

9. A storage medium having stored therein a program, which when executed on a networked data processing system, will control user access to sites accessible in a network of networks by:

(a) defining user access filters for determining if a request by a user for access to a desired site in the system should be permitted;

(b) storing in a cache local to an access server recently used user access filters and sites accessible from said system for which access has been requested;

(c) storing user filters and site lists at a network access server coupled to the local access server;

(d) attempting to use the user filters and sites for which access has been requested in the local cache for making an access determination for a site to which a user requests access; and

(e) using at least one of the user filters and site lists stored at said network access server to obtain an access determination if an access determination cannot be made from the user filters and sites stored in said local cache.



10. The storage medium of claim 9 in which said program is configured 
to identify sites for which access is requested from addresses in information 
packets requesting the accesses. 

11. The storage medium of claim 9 in which said program is configured to utilize a user authentication and authorization server to supply user filter identifications to the access server.



12. The storage medium of claim 9 in which said program is configured to receive user requests for access as Internet Protocol packets having headers with addresses and said program is further configured to utilize the addresses to find a requested site in a site list for determining whether access to the requested site will be granted.